This application relates to data processing systems and in particular to rule and/or regulation compliance for legacy data processing applications.
With the increasing use of computers in almost every business and administrative transaction, there is a corresponding need to ensure compatibility and compliance with new rules and regulations. Rules may originate internal to an organization and may relate to dealing with data processing security threats. Such rules may, for example, require particular employees to observe precautions such as password protecting access to systems that contain sensitive data such as customer credit card numbers.
However, other and more stringent data compliance requirements now originate as regulations imposed by government authorities. For example, the U.S. Government has passed comprehensive legislation encompassing the interchange and protection of healthcare information, popularly known as the Health Insurance Portability and Accountability Act (HIPAA). This law is intended to protect patient health information from unauthorized disclosure. It does seem clear that the initial targets of HIPAA compliance are likely to be major insurers and healthcare providers; however, the severity of possible penalties and the possible exposure to litigation and unfavorable press coverage make compliance an issue even for smaller healthcare providers.
Compliance with this legislation has become a significant challenge for all healthcare organizations. The cost, time and business risks of remediating existing software applications are prohibitive in many instances. For example, many healthcare software applications still run on mainframe-type systems that were originally coded more than 20 years ago. Given the uncertainties of enforcement versus the certainty of breaking legacy applications by attempting to rewrite them, some healthcare providers are choosing not to comply at all.
Several other regulations, and also internal company auditing standards, require similar low-level monitoring of user applications. For example, government agencies often require their contractors to have functionality in place to comply with security, auditing, and reporting standards such as NISPOM, DISKID, TEMPEST and the like. Privacy regulations such as the GLBA, or even the California Privacy Act, require similar visibility into specific uses of applications. Some organizations are also beginning to implement internal systems for compliance with security procedures that need to be audited at a very low level.